OCSP stapling

Server pre-fetches a signed revocation response and attaches it to the handshake.


In plain terms

Faster than client-side OCSP and doesn't leak browsing history to the CA.

Origin

RFC 6066 added the TLS Certificate Status Request extension in 2011. It lets the server pre-fetch a signed OCSP response and deliver it during the handshake, instead of every client querying the CA directly.

Where it shows up in production
  • Nginx, Apache, Caddy: all three support stapling (ssl_stapling in Nginx). Removes one extra round-trip and stops the CA from seeing every visitor's IP.
  • Must-Staple flag: a certificate extension that requires the server to staple. Lets browsers fail closed when the staple is missing or broken.
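As an added example (not from the original page), a small bash check for the two points above: whether a server actually sends a stapled response, and whether its leaf certificate carries the Must-Staple extension so clients fail closed rather than open. It assumes the openssl CLI is installed; the host name is a placeholder argument supplied by the caller, and the embedded sample output is constructed, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Checks whether a server staples an
# OCSP response and whether its leaf cert carries Must-Staple (TLS Feature).
# Assumes the openssl CLI; the host name is a placeholder supplied by the caller.

# Classify `openssl s_client -status` output. Returns one of:
#   stapled-good | stapled-revoked | stapled-unknown | no-staple
classify_staple() {
  local out="$1"
  if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo "no-staple"            # openssl prints "OCSP response: no response sent"
    return 0
  fi
  if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
    echo "stapled-good"
  elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
    echo "stapled-revoked"
  else
    echo "stapled-unknown"      # e.g. "Cert Status: unknown"
  fi
}

# True when `openssl x509 -text` output shows the TLS Feature extension
# (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24, RFC 7633), i.e. Must-Staple.
has_must_staple() {
  printf '%s\n' "$1" | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Live probe: handshake with -status and inspect the leaf certificate.
probe_host() {
  local host="$1" out cert
  out=$(openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null)
  cert=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null)
  echo "staple: $(classify_staple "$out")"
  if has_must_staple "$cert"; then echo "must-staple: yes"; else echo "must-staple: no"; fi
}

# Constructed sample of s_client output (not captured from a real server).
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

if [ -n "${1:-}" ]; then
  probe_host "$1"
else
  echo "sample: $(classify_staple "$SAMPLE_STAPLED")"   # prints: sample: stapled-good
fi
```

Run it as `./check_staple.sh example.invalid` to probe a host; a host whose certificate reports must-staple: yes but staple: no-staple is one that Must-Staple-aware browsers will refuse to connect to.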